Trojan JS Tracur and exploit Java malware

Post by kkqewl » December 22nd, 2010, 8:48 pm

Ok, it seems like I got infected with a few Trojan viruses and Java malware that my AVG antivirus did not detect.

I was able to do a system restore to an earlier date and got rid of most of it but not all of it. I uninstalled AVG and installed MS Essentials antivirus and it detected Trojan JS/Tracur.C, Trojan Dropper:Win32/Hiloti.gen and also a host of Exploit Java/CVE issues; all seem to have been successfully quarantined. I also ran Malwarebytes and it came up with Trojan.Agent which was also quarantined. Am I clean now? I still see a few suspicious Java entries in my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:17 PM, on 22/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\WINDOWS\system32\oodag.exe
C:\USBStorage\USBDetector.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S175.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S175.tmp" /EF "HKCU" (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 0838236687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8777991140
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spectro-us.webex.com/client/T26 ... eatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe

--
End of file - 8613 bytes
kkqewl
Active Member
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Post by deltalima » December 23rd, 2010, 6:02 pm

Checking your log - back soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trojan JS Tracur and exploit Java malware

Post by deltalima » December 23rd, 2010, 6:16 pm

Hi kkqewl,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your malware issue.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where it becomes necessary to take your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Uninstall List
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trojan JS Tracur and exploit Java malware

Post by kkqewl » December 23rd, 2010, 7:00 pm

Hi deltalima,


Here is the information you requested.

Acrobat.com
Adobe AIR
Adobe AIR
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop CS
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Premiere Elements 4.0 Templates
Adobe Reader 9.4.1
AI Suite
A-PDF Restrictions Remover 1.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 6
ASUSUpdate
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATI AVIVO Codecs
Audacity 1.2.6
BassBox 6 Pro and X·over 3 Pro
Batch PPTX to PPT Converter 2010
Burn My Files
Canon Utilities PhotoStitch 3.1
Catalyst Control Center - Branding
Chinese Simplified Fonts Support For Adobe Reader 9
Combined Community Codec Pack 2008-01-24
Compatibility Pack for the 2007 Office system
COWON iAUDIO 9 User's Guide
COWON Media Center - jetAudio Basic VX
DC-Bass Source 1.1.1
DivX Codec
DivX Converter
DivX Player
Driver Detective
EPSON Print CD
EPSON Printer Software
EPSON R280 User's Guide
Exact Audio Copy 0.99pb5
Fallout 3
File Uploader
FileASSASSIN
FLAC 1.2.1b (remove only)
Free Video Converter V 1.0
FreeRIP v3.30
Google Earth
Google Update Helper
HiJackThis
HOLMImpulse
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB981793)
Intel(R) Processor ID Utility
iTunes
iWisoft Free Video Converter 1.2
Java(TM) 6 Update 23
Junk Mail filter update
LADSPA_plugins-win-0.4.15
LEAP 5.2.0.357 Uninstall
LimeWire 5.5.6
Linkage 2.5 Personal Version
Malwarebytes' Anti-Malware
marvell 61xx
Marvell 61xx MRU
M-Audio Delta Driver 6.0.2 (x86)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.3)
MP3 CD Converter Professional 5.03
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NEFView
Nikon Message Center
Nikon Transfer
O&O Defrag Professional Edition
Order Configuration Manager (OCM)
PDF-Tools 4
Personal Translator 14 Professional
Picture Control Utility
QuickTime
r8brain 1.9
Radialpoint Security Advisor 2.5.10
RawShooter essentials 2006
ReaJPEG Pro 3.9
Realtek High Definition Audio Driver
Search Settings v1.2.3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Sony USB Driver
Spark Analyzer Vision Mx
Speaker Workshop
SpeedFan (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.4
The Lord of the Rings FREE Trial
ubCore
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.4053
Version 2.00.0000.0284
ViewNX
Visual Analyser
Vit Registry Fix 9.5 (remove only)
VLC media player 1.0.5
WebEx
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
WordBiz version 1.8
Xilisoft DVD Creator
Xilisoft DVD to Zune Converter 5
Xilisoft Zune Video Converter
X-LabPro
kkqewl
Active Member
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Post by deltalima » December 23rd, 2010, 7:46 pm

Hi kkqewl,

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    LimeWire 5.5.6


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Please let me know if Combofix has been run on this machine and if so what happened as it looks like it has been run but failed to complete.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
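The first pass a helper makes over logs like these is mechanical: which autostart entries have no publisher, point at a file that no longer exists (as with the ComboFix service entry asked about above), or run from an unusual folder. The script below is an added example, not a tool from this forum or from deltalima: it parses HijackThis O4/O23 lines and OTL SRV/DRV lines and flags entries worth a second look. The sample lines are copied from the logs in this thread; the trusted-folder and Temp-folder heuristics are this example's own assumptions, and a flag means "review", not "malware".

```python
"""Triage of HijackThis / OTL autostart lines (added example, not forum code).

Flags entries a helper reviews first: blank or "Unknown owner" publisher,
orphaned "File not found" entries, values with no full path, and executables
outside Program Files / Windows or inside a Temp folder.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# HijackThis autostart:  O4 - HKLM\..\Run: [Name] "C:\path\file.exe" args
HJT_O4 = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$')
# HijackThis service:    O23 - Service: Name - Owner - C:\path\file.exe
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# OTL service/driver:    SRV - (Name) [description] -- C:\path\file (Company)
OTL_SVC = re.compile(r'^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\)(?P<desc>.*?) -- (?P<rest>.+)$')
OTL_TAIL = re.compile(r'^(?P<path>.+?) \((?P<company>.*)\)$')
# First drive-letter path in an O4 value, quoted or not; arguments are ignored.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.[A-Za-z]{2,5}(?=["\s]|$)')

# Heuristic assumptions of this example: where legitimate startup items usually live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[Optional[str], Optional[str], bool]]:
    """Return (path, publisher, file_missing) for a recognised line, else None."""
    line = line.strip()
    m = HJT_O4.match(line)
    if m:
        pm = PATH_RE.search(m.group("rest"))
        return (pm.group(0) if pm else None, None, False)  # O4 lines carry no publisher
    m = HJT_O23.match(line)
    if m:
        return (m.group("path").strip(), m.group("owner"), False)
    m = OTL_SVC.match(line)
    if m:
        rest = m.group("rest").strip()
        if rest.endswith("File not found"):
            return (rest[: -len("File not found")].strip(), None, True)
        t = OTL_TAIL.match(rest)
        if t:
            return (t.group("path"), t.group("company"), False)
        return (rest, None, False)
    return None


def assess(path: Optional[str], publisher: Optional[str], missing: bool) -> List[str]:
    """Apply the review rules; an empty list means nothing stands out."""
    reasons: List[str] = []
    if missing:
        reasons.append("file not found (orphaned autostart entry)")
    if path is None:
        reasons.append("no full path (resolved via PATH at startup)")
    else:
        p = path.lower()
        if not p.startswith(TRUSTED_ROOTS):
            reasons.append("unusual location")
        if any(marker in p for marker in TEMP_MARKERS):
            reasons.append("runs from a Temp folder")
    if publisher is not None and publisher.strip() in ("", "Unknown owner"):
        reasons.append("unknown publisher")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """One Finding per recognised line that triggers at least one rule."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        reasons = assess(*parsed)
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return findings


# Sample input: lines copied from the HijackThis and OTL logs posted in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"',
    r"O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE",
    r"O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe",
    r"O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
    r"O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe",
    r"SRV - (PEVSystemStart) -- C:\ComboFix\PEV.cfx File not found",
    r"DRV - (catchme) -- C:\DOCUME~1\Karl\LOCALS~1\Temp\catchme.sys File not found",
    r"DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()",
    r"DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Six of the nine sample lines are flagged; the two Malwarebytes and Realtek entries pass because they have a named publisher and live under Program Files or Windows.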

Re: Trojan JS Tracur and exploit Java malware

Post by kkqewl » December 23rd, 2010, 10:08 pm

Ok, uninstalled LimeWire and ran OTL (see results below), but I tried to run GMER three times and it does not seem to like my computer: the program runs for several minutes, then hangs and my computer completely freezes, and the only option is to reboot. Also, after the reboot it seems to take a long time during startup, but it is working fine once it gets through its long startup.

Here are the results.

OTL logfile created on: 23/12/2010 8:16:49 PM - Run 6
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Karl\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 350.03 Gb Free Space | 75.15% Space Free | Partition Type: NTFS

Computer Name: KARL-OBZ0STNSQQ | User Name: Karl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Karl\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\DeltaIITray.exe ()
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
PRC - C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe (Apache Software Foundation)
PRC - C:\WINDOWS\system32\oodag.exe (O&O Software GmbH)
PRC - C:\USBStorage\USBDetector.exe (ali)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Karl\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- C:\ComboFix\PEV.cfx File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (Application Updater) -- C:\Program Files\Application Updater\ApplicationUpdater.exe (Spigot, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (Marvell RAID) -- C:\Program Files\Marvell\raid\svc\mvraidsvc.exe ()
SRV - (MRUWebService) -- C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe (Apache Software Foundation)
SRV - (O&O Defrag) -- C:\WINDOWS\system32\oodag.exe (O&O Software GmbH)


========== Driver Services (SafeList) ==========

DRV - (ossrv) -- C:\WINDOWS\System32\drivers\ctoss2k.sys File not found
DRV - (cpuz132) -- C:\DOCUME~1\Karl\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\DOCUME~1\Karl\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (L1e) -- C:\WINDOWS\system32\drivers\l1e51x86.sys (Atheros Communications, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (DELTAII) Service for M-Audio Delta Driver (WDM) -- C:\WINDOWS\system32\drivers\MAudioDelta.sys (Avid Technology, Inc.)
DRV - (RTHDMIAzAudService) -- C:\WINDOWS\system32\drivers\RtKHDMI.sys (Realtek Semiconductor Corp.)
DRV - (mv61xx) -- C:\WINDOWS\system32\DRIVERS\mv61xx.sys (Marvell Semiconductor, Inc.)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSTAPE) -- C:\WINDOWS\system32\drivers\mstape.sys (Microsoft Corporation)
DRV - (AVCSTRM) -- C:\WINDOWS\system32\drivers\avcstrm.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()
DRV - (Hardlock) -- C:\WINDOWS\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows (R) 2000 DDK provider)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (ubohci) -- C:\WINDOWS\system32\drivers\ubohci.sys (Unibrain S.A.)
DRV - (ubumapi) -- C:\WINDOWS\system32\drivers\UBUMAPI.sys (Unibrain S.A.)
DRV - (ubsbm) -- C:\WINDOWS\system32\drivers\UBSBM.sys (Unibrain S.A.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (sfman) Creative SoundFont Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (emu10k1) Creative Interface Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (ctljystk) -- C:\WINDOWS\system32\drivers\ctljystk.sys (Creative Technology Ltd.)
DRV - (PfModNT) -- C:\WINDOWS\system32\PfModNT.sys (Creative Technology Ltd.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKU\S-1-5-21-1078081533-115176313-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=867034"
FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: searchsettings@spigot.com:1.2.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/21 10:17:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/22 21:04:02 | 000,000,000 | ---D | M]

[2010/05/12 11:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karl\Application Data\Mozilla\Extensions
[2010/05/12 11:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karl\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/09/23 20:14:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Karl\Application Data\Mozilla\Firefox\Profiles\xps5bbe2.default\extensions
[2010/05/19 14:33:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Karl\Application Data\Mozilla\Firefox\Profiles\xps5bbe2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/22 21:04:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/22 21:04:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/12/22 21:03:56 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/12/22 15:17:27 | 000,428,313 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14748 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKU\S-1-5-21-1078081533-115176313-839522115-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [Ai Nap] C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe ()
O4 - HKLM..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\DeltaIITray.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [QFan Help] C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe ()
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [USBDetector] C:\USBStorage\USBDetector.exe (ali)
O4 - HKU\.DEFAULT..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-18..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-1078081533-115176313-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O7 - HKU\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microso ... 0838236687 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 8777991140 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/fl ... rashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://spectro-us.webex.com/client/T26 ... eatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Karl\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Karl\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/22 23:41:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{be20da62-be4a-11de-92f0-00221595a44b}\Shell\AutoRun\command - "" = D:\PortableVault.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1078081533-115176313-839522115-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/12/23 20:15:43 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Karl\Desktop\OTL.exe
[2010/12/22 21:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/12/22 21:04:02 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/12/22 21:04:02 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/12/22 21:04:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/12/22 21:04:02 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/12/22 21:04:02 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/12/22 03:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\Application Data\KoshyJohn.com
[2010/12/22 00:41:25 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/12/22 00:39:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2010/12/21 16:07:31 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/12/20 19:47:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\My Documents\Ville de Montreal
[2010/12/15 20:29:36 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/15 20:29:08 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/07 02:06:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\Application Data\AVG10
[2010/12/07 02:05:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/12/07 02:05:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/12/04 10:56:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/11/28 12:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\My Documents\Personal Translator
[2010/11/28 12:45:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Personal Translator
[2010/11/28 12:45:34 | 000,000,000 | ---D | C] -- C:\Program Files\linguatec
[2010/11/27 11:15:26 | 000,000,000 | ---D | C] -- C:\Program Files\MP3 CD Converter Professional
[2010/11/26 20:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\Application Data\HOLM Acoustics
[2010/11/26 20:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HOLM Acoustics
[2010/11/25 02:51:24 | 000,000,000 | ---D | C] -- C:\Program Files\HOLM Acoustics
[2010/11/25 00:46:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Karl\Local Settings\Application Data\Deployment
[2009/06/06 09:07:59 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[1998/12/09 02:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 02:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 02:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 02:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 02:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 02:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/23 20:15:47 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Karl\Desktop\OTL.exe
[2010/12/23 19:57:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/12/23 19:27:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/23 16:01:38 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{25B74EC3-C085-4B0B-9AAE-4DBCBC857922}.job
[2010/12/23 12:06:05 | 000,003,421 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\Transcend Magazine - Downhill Mountain Biking at its Fastest..url
[2010/12/23 11:03:13 | 000,002,921 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\Downhill - Ridemonkey.com (2).url
[2010/12/23 11:02:58 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\Google.url
[2010/12/23 09:59:36 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/12/23 09:58:16 | 000,453,730 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/23 09:58:16 | 000,074,570 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/23 09:54:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/23 09:53:59 | 000,000,182 | ---- | M] () -- C:\WINDOWS\System32\61xx.xml
[2010/12/23 09:53:58 | 000,000,008 | ---- | M] () -- C:\WINDOWS\mvraidver.dat
[2010/12/23 09:53:51 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/23 09:53:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/23 09:53:44 | 000,325,920 | ---- | M] () -- C:\WINDOWS\System32\OODBS.lor
[2010/12/23 01:24:10 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\ApplicationUpdater.doc
[2010/12/22 21:03:55 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/12/22 21:03:55 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/12/22 21:03:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/12/22 21:03:55 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/12/22 21:03:55 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/12/22 19:00:38 | 000,000,281 | -HS- | M] () -- C:\boot.ini
[2010/12/22 15:17:27 | 000,428,313 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/12/22 03:19:06 | 000,000,346 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\ DROPMACHINE.COM View Forum - -- downhill racing--.url
[2010/12/22 03:03:24 | 000,001,955 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\neoSearch.lnk
[2010/12/22 00:39:51 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2010/12/22 00:17:42 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Karl\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/22 00:17:42 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/21 16:07:31 | 000,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/12/21 00:33:42 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dfrg
[2010/12/21 00:33:42 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
[2010/12/21 00:32:28 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\0sx6qsHREIi
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/19 14:22:24 | 000,000,015 | ---- | M] () -- C:\WINDOWS\System32\package.lst
[2010/12/17 11:15:36 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\iTunes.lnk
[2010/12/16 18:07:04 | 000,427,647 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101222-151727.backup
[2010/12/15 20:38:16 | 000,149,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/15 20:28:10 | 000,427,647 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101216-180704.backup
[2010/12/13 06:31:43 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\The modifications are simple for the Phenol.doc
[2010/12/10 19:07:26 | 005,903,287 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\The Rolling Stones - Gimme Shelter (Zeds Dead Remix).mp3
[2010/12/10 19:05:53 | 007,110,771 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Gimme Shelter The Rolling Stones.mp3
[2010/12/10 18:56:10 | 005,954,696 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Soulsavers-Unbalanced Pieces.mp3
[2010/12/10 18:44:31 | 008,418,565 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Drive It Like You Stole It - The Glitch Mob (Drink the Sea).mp3
[2010/12/10 18:18:28 | 000,153,600 | ---- | M] () -- C:\Documents and Settings\Karl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/10 11:04:46 | 000,426,903 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101215-202810.backup
[2010/12/09 22:00:59 | 000,073,728 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Ref.doc
[2010/12/07 02:43:15 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Hello all.doc
[2010/12/06 14:02:18 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Claude Dupouy.doc
[2010/12/04 22:30:36 | 001,455,936 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\LMarsden.pdf
[2010/12/03 01:35:04 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\Sotrem Calibration Fe.doc
[2010/12/02 21:54:33 | 000,000,125 | ---- | M] () -- C:\Documents and Settings\Karl\Desktop\SCP SCIENCEexchange.url
[2010/12/01 23:47:17 | 000,426,615 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101210-110446.backup
[2010/11/30 00:19:29 | 000,425,925 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101201-234717.backup
[2010/11/30 00:16:50 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Karl\My Documents\John Sidney.doc
[2010/11/29 18:46:17 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\Karl\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2010/11/28 12:46:14 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Personal Translator.lnk
[2010/11/27 09:52:59 | 000,035,654 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/11/27 09:09:08 | 000,001,302 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2010/11/24 21:30:31 | 000,425,925 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101130-001929.backup
[2010/11/24 21:30:24 | 000,425,925 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101124-213031.backup
[2010/11/24 10:20:18 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/11/24 10:19:44 | 000,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/23 01:24:10 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\ApplicationUpdater.doc
[2010/12/22 03:03:24 | 000,001,955 | ---- | C] () -- C:\Documents and Settings\Karl\Desktop\neoSearch.lnk
[2010/12/22 00:44:42 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/12/22 00:39:51 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2010/12/22 00:17:42 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Karl\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/21 16:07:31 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2010/12/21 00:32:31 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrg
[2010/12/21 00:32:31 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dfrgr
[2010/12/21 00:32:28 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\0sx6qsHREIi
[2010/12/13 06:31:43 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\The modifications are simple for the Phenol.doc
[2010/12/10 19:07:26 | 005,903,287 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\The Rolling Stones - Gimme Shelter (Zeds Dead Remix).mp3
[2010/12/10 19:05:53 | 007,110,771 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Gimme Shelter The Rolling Stones.mp3
[2010/12/10 18:55:59 | 005,954,696 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Soulsavers-Unbalanced Pieces.mp3
[2010/12/10 18:44:31 | 008,418,565 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Drive It Like You Stole It - The Glitch Mob (Drink the Sea).mp3
[2010/12/09 22:00:58 | 000,073,728 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Ref.doc
[2010/12/07 02:43:15 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Hello all.doc
[2010/12/06 14:02:17 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Claude Dupouy.doc
[2010/12/04 22:30:36 | 001,455,936 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\LMarsden.pdf
[2010/12/02 21:54:33 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Karl\Desktop\SCP SCIENCEexchange.url
[2010/12/02 11:48:08 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\Sotrem Calibration Fe.doc
[2010/11/29 18:46:17 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\Karl\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2010/11/29 11:29:17 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Karl\My Documents\John Sidney.doc
[2010/11/28 12:46:14 | 000,000,923 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Personal Translator.lnk
[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2010/04/07 20:09:06 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Karl\Local Settings\Application Data\housecall.guid.cache
[2010/02/06 18:33:34 | 000,758,018 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/06 18:33:34 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/01/26 23:00:03 | 000,035,654 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/26 22:53:54 | 000,001,302 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2009/10/15 09:56:23 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\PROTOCOL.DLL
[2009/10/15 09:56:23 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\Supercom.dll
[2009/10/15 09:56:23 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\P_3964R.dll
[2009/10/14 11:28:14 | 000,000,039 | ---- | C] () -- C:\WINDOWS\bti.ini
[2009/09/10 09:10:23 | 000,000,113 | ---- | C] () -- C:\WINDOWS\BOXPLOT.INI
[2009/08/22 17:28:24 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009/06/06 09:08:24 | 000,000,231 | ---- | C] () -- C:\WINDOWS\ac3api.ini
[2009/06/06 09:08:24 | 000,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/05/17 00:35:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2009/05/16 22:48:19 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Woodwinds
[2009/05/16 22:48:19 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Karl\Application Data\Vocals
[2009/05/16 22:48:19 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/05/16 22:46:52 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Workflows
[2009/05/16 22:46:52 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Karl\Application Data\Widgets
[2009/05/16 22:46:52 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2008/11/23 22:45:07 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008/11/23 22:45:07 | 000,012,400 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008/11/23 12:26:02 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2008/11/23 12:15:41 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2008/11/23 11:56:52 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/11/23 11:56:07 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPSPR280.ini
[2008/11/23 11:48:53 | 000,153,600 | ---- | C] () -- C:\Documents and Settings\Karl\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/23 01:05:24 | 000,001,338 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/11/23 01:05:24 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/11/23 01:05:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2008/11/22 23:46:26 | 000,032,746 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/11/22 23:45:57 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/11/22 23:45:49 | 000,032,363 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/11/22 23:45:49 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/22 18:35:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/11/01 17:10:22 | 000,047,394 | ---- | C] () -- C:\WINDOWS\php.ini
[2007/10/24 18:14:38 | 000,000,236 | ---- | C] () -- C:\WINDOWS\zraidtray.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AC6124CA
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:80337C03
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6DFF1A8A

< End of report >



OTL Extras logfile created on: 23/12/2010 8:16:49 PM - Run 6
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Karl\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 350.03 Gb Free Space | 75.15% Space Free | Partition Type: NTFS

Computer Name: KARL-OBZ0STNSQQ | User Name: Karl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\XLabPro\Bin32\xlcedi.exe" = C:\XLabPro\Bin32\xlcedi.exe:*:Enabled:XLCedi -- (Spectro Analytical Instruments, Kleve)
"C:\XLabPro\Bin32\XLComSer.exe" = C:\XLabPro\Bin32\XLComSer.exe:*:Enabled:MFC-Application X-LabPro Communication Server -- (SPECTRO A. I.)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\River Past\Audio Converter Pro\AudioConverter.exe" = C:\Program Files\River Past\Audio Converter Pro\AudioConverter.exe:*:Enabled:River Past Audio Converter Pro -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\XLabPro\Bin32\XLSpcView.exe" = C:\XLabPro\Bin32\XLSpcView.exe:*:Enabled:XLSpcView -- ()
"C:\XLabPro\Bin32\XLMethodAdmin.exe" = C:\XLabPro\Bin32\XLMethodAdmin.exe:*:Enabled:XLMethodAdmin -- ()
"C:\XLabPro\Bin32\XLJobMan.exe" = C:\XLabPro\Bin32\XLJobMan.exe:*:Enabled:MFC-Anwendung XLJobMan -- ()
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0B85590A-3AAF-4483-923F-6B794891D1EF}" = CCC Help Norwegian
"{119BC991-FB88-43E1-64E1-001D299C96FC}" = CCC Help Chinese Standard
"{144206FC-E020-C6DC-32D3-CCD8916D777A}" = CCC Help Chinese Traditional
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14EC807A-F88E-4FCF-8013-CB909F930E88}_is1" = PDF-Tools 4
"{1829AFBC-19F5-B1FE-73B1-30FF9DA49062}" = ATI Catalyst Install Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FDA5A37-B22D-43FF-B582-B8964050DC13}" = Microsoft Games for Windows - LIVE Redistributable
"{203DE5E5-6ADB-1388-2899-D9D72BF67E87}" = CCC Help Dutch
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{242067FA-B640-B4EE-FCFF-BBD58C422D84}" = CCC Help French
"{25C1E7E8-59CA-2EFA-2075-995DD6608081}" = ccc-utility
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
"{277F48D9-BF57-F7CD-0292-FD79B5415B8A}" = Skins
"{2BCD213E-0B29-914F-6EF4-12362FFED1E3}" = CCC Help Korean
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{310BC5E2-31AF-49BB-904D-E71EB93645DC}" = AI Suite
"{327FA5C6-57B5-B380-ABB8-87AB8ACC7A07}" = Catalyst Control Center Graphics Full Existing
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{391BF2AA-1304-471A-9CBF-084AE32813D6}" = M-Audio Delta Driver 6.0.2 (x86)
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0
"{3F5577A2-A090-F16B-A0B1-C92F95EB639A}" = CCC Help Spanish
"{3F9FC147-7DD3-2A2E-7C49-75A8C2EC3F27}" = CCC Help Hungarian
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EFCD9A3-EF7A-5A7A-2550-2FEE6D6D0B1D}" = Catalyst Control Center Localization All
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.30
"{53480370-6CA2-47EC-BC05-02B4B9271C31}" = O&O Defrag Professional Edition
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{5BC29689-52A7-85F3-E8D6-D2DF75A9FD16}" = CCC Help Finnish
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5F05C28D-DEA9-4AD6-A73A-064175988EAB}" = Search Settings v1.2.3
"{618463E7-79C0-A9B2-7EC6-61E9E27EDD6A}" = CCC Help English
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{64D593B2-634B-D393-8FA7-59871749CB9D}" = CCC Help Swedish
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6CE1A03A-8686-EA72-B270-23F46F6FFDB6}" = Catalyst Control Center Graphics Full New
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{740D5800-96EC-9B5D-E6F4-B247D04C2BD2}" = CCC Help Thai
"{7423C902-C0E1-E640-39D0-0CECB8BAD921}" = CCC Help Czech
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{79E4BE16-174F-4348-965B-E1A96AEF7352}" = Personal Translator 14 Professional
"{7B4F82D7-292D-248C-2B5F-DBA4EF105F2A}" = CCC Help Italian
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E8C79CC-AC40-4E67-A959-332A366230DA}" = COWON iAUDIO 9 User's Guide
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86A4C6D9-29EE-4719-AFA1-BA3341862B83}" = Microsoft Games for Windows - LIVE
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{8875D660-8BFA-33FB-665D-EFC4DA0AC86B}" = ATI AVIVO Codecs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}" = The Lord of the Rings FREE Trial
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{97D1B7D2-4428-4B1A-B676-1C4AC877EC5B}" = HOLMImpulse
"{9CD8B0D2-F0B4-45C7-98EE-9F7B859F086C}" = CCC Help Portuguese
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A7F4B9C2-7397-6A6B-BF5E-0CCD7A4883B4}" = CCC Help Danish
"{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel(R) Processor ID Utility
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A961C6FD-C583-45F6-A0A4-5E4376C29E41}" = Catalyst Control Center - Branding
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B39A8794-8C03-45AF-9E2D-5455DA39D8CA}" = X-LabPro
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4776946-998D-953A-8088-E1885BE19C73}" = ccc-core-static
"{BFC97102-F7FA-8844-6713-41870818D492}" = ccc-core-preinstall
"{BFCE50CF-6574-7F1A-6A5B-5280A3D87298}" = CCC Help Polish
"{BFD2D57C-9DB0-5200-DD11-C14FD0F2A60D}" = CCC Help German
"{C09474D5-B702-4B97-A50E-209CA09742F9}" = Visual Analyser
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4A156FB-58FD-54DF-FE86-9578887AF1EA}" = Catalyst Control Center Graphics Light
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03E7B00-CA85-4684-9321-1888873C34BD}" = ArcSoft PhotoImpression 6
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{DC6DE3E3-549B-BC59-9D10-9F7A89B9001C}" = CCC Help Russian
"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = COWON Media Center - jetAudio Basic VX
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BF3D81-BF3F-67E6-9E03-BD911B6E361B}" = Catalyst Control Center Core Implementation
"{E6358333-B89B-4243-8477-647C9360B5D9}_is1" = Batch PPTX to PPT Converter 2010
"{E6F69E99-0FFF-F831-C046-8C186EAE4EFE}" = CCC Help Greek
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F65FE148-FCF5-42F7-8803-FA0B7DA8B8A4}" = ubCore
"{F85C7118-F3DC-4ED9-AB27-3E7931EA3D88}" = Adobe Premiere Elements 4.0 Templates
"{FAF98B9B-175D-A8F8-D62A-64EE22BECEFD}" = CCC Help Turkish
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"{FFF0B605-CAA2-5543-91CC-2D28A2D37C81}" = CCC Help Japanese
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"A-PDF Restrictions Remover_is1" = A-PDF Restrictions Remover 1.6
"Audacity_is1" = Audacity 1.2.6
"BassBox 6 Pro and X·over 3 Pro" = BassBox 6 Pro and X·over 3 Pro
"Burn My Files_is1" = Burn My Files
"Canon PhotoStitch 3.1" = Canon Utilities PhotoStitch 3.1
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DC-Bass Source" = DC-Bass Source 1.1.1
"EPSON Printer and Utilities" = EPSON Printer Software
"Exact Audio Copy" = Exact Audio Copy 0.99pb5
"FileASSASSIN" = FileASSASSIN
"FLAC" = FLAC 1.2.1b (remove only)
"Free Video Converter_is1" = Free Video Converter V 1.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"InstallShield_{B39A8794-8C03-45AF-9E2D-5455DA39D8CA}" = X-LabPro
"InstallShield_{F65FE148-FCF5-42F7-8803-FA0B7DA8B8A4}" = ubCore
"Internet Scrabble Club_is1" = WordBiz version 1.8
"iWisoft Free Video Converter_is1" = iWisoft Free Video Converter 1.2
"LADSPA_plugins-win_is1" = LADSPA_plugins-win-0.4.15
"LEAP" = LEAP 5.2.0.357 Uninstall
"Linkage_is1" = Linkage 2.5 Personal Version
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MP3 CD Converter Professional" = MP3 CD Converter Professional 5.03
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"mv61xxDriver" = marvell 61xx
"mv61xxMRU" = Marvell 61xx MRU
"NEFView" = NEFView
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OCM Master-Database Update_is1" = Version 2.00.0000.0284
"Order Configuration Manager (OCM)_is1" = Order Configuration Manager (OCM)
"PremElem40" = Adobe Premiere Elements 4.0
"PremElem40Templates" = Adobe Premiere Elements 4.0 Templates
"r8brain" = r8brain 1.9
"RadialpointSecurityAdvisorService_is1" = Radialpoint Security Advisor 2.5.10
"RawShooter essentials 2006" = RawShooter essentials 2006
"ReaJPEG Pro_is1" = ReaJPEG Pro 3.9
"Silent Package Run-Time Sample" = EPSON R280 User's Guide
"Spark Analyzer Vision Mx" = Spark Analyzer Vision Mx
"Speaker Workshop" = Speaker Workshop
"SpeedFan" = SpeedFan (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Vit Registry Fix" = Vit Registry Fix 9.5 (remove only)
"VLC media player" = VLC media player 1.0.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft DVD Creator" = Xilisoft DVD Creator
"Xilisoft DVD to Zune Converter 5" = Xilisoft DVD to Zune Converter 5
"Xilisoft Zune Video Converter" = Xilisoft Zune Video Converter
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1078081533-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13/07/2010 4:07:30 PM | Computer Name = KARL-OBZ0STNSQQ | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 13/07/2010 4:07:30 PM | Computer Name = KARL-OBZ0STNSQQ | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 27/09/2010 12:23:33 PM | Computer Name = KARL-OBZ0STNSQQ | Source = Google Update | ID = 20
Description =

Error - 27/09/2010 1:23:38 PM | Computer Name = KARL-OBZ0STNSQQ | Source = Google Update | ID = 20
Description =

Error - 27/09/2010 2:23:39 PM | Computer Name = KARL-OBZ0STNSQQ | Source = Google Update | ID = 20
Description =

Error - 03/11/2010 11:40:55 PM | Computer Name = KARL-OBZ0STNSQQ | Source = MsiInstaller | ID = 11706
Description = Product: Adobe Reader 9.4.0 -- Error 1706.No valid source could be
found for product Adobe Reader 9.4.0. The Windows Installer cannot continue.

Error - 26/11/2010 9:16:52 PM | Computer Name = KARL-OBZ0STNSQQ | Source = Application Error | ID = 1000
Description = Faulting application spybotsd.exe, version 1.6.2.46, faulting module
unknown, version 0.0.0.0, fault address 0x71356800.

Error - 04/12/2010 12:02:04 PM | Computer Name = KARL-OBZ0STNSQQ | Source = MsiInstaller | ID = 1013
Description = Product: AVG 2011 -- Uninstallation of the old AVG version failed
and the new installation cannot be completed. Try to uninstall the old version manually
and then launch the installation again.

Error - 22/12/2010 1:39:40 AM | Computer Name = KARL-OBZ0STNSQQ | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 22/12/2010 1:48:52 AM | Computer Name = KARL-OBZ0STNSQQ | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 21/12/2010 1:51:35 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7001
Description = The MRU Web Service service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 21/12/2010 1:51:35 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 21/12/2010 1:51:35 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AsIO Avgldx86 AvgMfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 21/12/2010 1:52:52 AM | Computer Name = KARL-OBZ0STNSQQ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 21/12/2010 1:56:37 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%31

Error - 21/12/2010 8:14:23 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%31

Error - 22/12/2010 9:10:35 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%31

Error - 23/12/2010 10:54:20 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%31

Error - 23/12/2010 11:40:02 AM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7034
Description = The Marvell RAID Event Agent service terminated unexpectedly. It
has done this 1 time(s).

Error - 23/12/2010 2:25:26 PM | Computer Name = KARL-OBZ0STNSQQ | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).


< End of report >
kkqewl
Active Member
 
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Unread postby deltalima » December 24th, 2010, 6:12 am

Hi kkqewl,

tried to run GMER three times and it does not seem to like my computer


Please run this alternative scan.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

Please also let me know about Combofix.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trojan JS Tracur and exploit Java malware

Unread postby kkqewl » December 24th, 2010, 12:21 pm

Ok here are the results, also yes Combofix was run about six months ago during another malware episode and it did not run properly and kept freezing, at that time the only solution to my problem was to reinstall Windows and that got rid of all the viruses and malware I had, I have been clean up until recently and was able to do a system restore earlier this week and seems to be OK but of course one never knows which is why I want to be sure etc...

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8F31000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5582848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF216000 C:\WINDOWS\System32\ati3duag.dll 3903488 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF9C5000 C:\WINDOWS\System32\ativvaxx.dll 2539520 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 700416 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xA9920000 C:\WINDOWS\system32\drivers\hardlock.sys 696320 bytes (Aladdin Knowledge Systems Ltd., Hardlock Device Driver for Windows NT)
0xBF10B000 C:\WINDOWS\System32\atikvmag.dll 679936 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB9DDD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xACB3F000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF1B1000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xB8DAF000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xACC4A000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA975C000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB8E65000 C:\WINDOWS\system32\DRIVERS\MAudioDelta.sys 299008 bytes (Avid Technology, Inc., M-Audio Delta PCI driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA8EFA000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9ECB000 mv61xx.sys 262144 bytes (Marvell Semiconductor, Inc., Marvell Thor Windows Driver)
0xB8E0D000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9C39000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DB0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA87E9000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xACBAF000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8EF5000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xACC22000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xACCFE000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xACBFC000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA98FC000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB8ED1000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8EAE000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xACBDA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E93000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D96000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xACAFF000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EB3000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9E6A000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8E4E000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA920B000 C:\WINDOWS\system32\DRIVERS\UB1394.SYS 90112 bytes (Unibrain S.A., FireAPI® 1394 Class Driver (XP))
0xA9B5C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8F1D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xACCA3000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xA9221000 C:\WINDOWS\system32\DRIVERS\ubohci.sys 77824 bytes (Unibrain S.A., UBOHCI WDM Miniport Driver (XP))
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E81000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8E3D000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2B8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA178000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1A8000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA1C8000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA2E8000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xA984C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA188000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA9E76000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA258000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA198000 C:\WINDOWS\System32\DRIVERS\l1e51x86.sys 57344 bytes (Atheros Communications, Inc., Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller ndis miniport driver)
0xBA108000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1B8000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA1D8000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1F8000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA298000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1E8000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA228000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA218000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2C8000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB9484000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA9E66000 C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xBA208000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA88A4000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA118000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xA97FC000 C:\WINDOWS\system32\DRIVERS\ubumapi.sys 36864 bytes (Unibrain S.A., FireAPI® User Mode Support (XP))
0xBA2D8000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA370000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft(R) ASPI Shell)
0xBA3D0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA340000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA380000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA3D8000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBA378000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA388000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3A8000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xBA4B0000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA3C0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3F8000 C:\WINDOWS\System32\drivers\aspi32.sys 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xBA3B0000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xBA3C8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA398000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3A0000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA390000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3F0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xAA03A000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xB9795000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA016000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9D52000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA92A0000 C:\WINDOWS\system32\DRIVERS\ubsbm.sys 16384 bytes (Unibrain S.A., FireAPI® Serial Bus Manager (XP))
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB9D5E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9D72000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9D6E000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D4E000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA578000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5F6000 C:\WINDOWS\System32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xBA60E000 C:\WINDOWS\system32\drivers\AsIO.sys 8192 bytes
0xBA608000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA612000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA606000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA60A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5CE000 C:\WINDOWS\system32\PfModNT.sys 8192 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)
0xBA60C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5AE000 speedfan.sys 8192 bytes
0xBA5F8000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5FC000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7F9000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA794000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA671000 giveio.sys 4096 bytes
0xBA754000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x05540000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 102400 bytes
0x057A0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 102400 bytes
0x06CB0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 102400 bytes
0x00D10000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 110592 bytes
0x00CD0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 118784 bytes
0x037E0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 118784 bytes
0x067D0000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 1232896 bytes
0x04AE0000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 151552 bytes
0x06100000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 1748992 bytes
0x06B60000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 208896 bytes
0x05F60000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 217088 bytes
0x06C60000 Hidden Image-->CLI.Aspect.CrossDisplay.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 282624 bytes
0x00EA0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 28672 bytes
0x010D0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 28672 bytes
0x00D00000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x00D30000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x038B0000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x03CA0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x03D70000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x03CD0000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x03D50000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04B40000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04070000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04090000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04B10000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04B90000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04BC0000 Hidden Image-->ResourceManagement.Foundation.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04CF0000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04E30000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04F50000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x04FD0000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05000000 Hidden Image-->AEM.Plugin.REG.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05020000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05040000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x050B0000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05100000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05150000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05170000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x053C0000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05390000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x053F0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x054A0000 Hidden Image-->DEM.Graphics.I0703.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x055A0000 Hidden Image-->DEM.Graphics.I0906.dll [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05730000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05770000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05A00000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05AB0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x05B50000 Hidden Image-->atixclib.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 28672 bytes
0x07060000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 364544 bytes
0x037D0000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 36864 bytes
0x03830000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x03890000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x03980000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x04150000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x05080000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x051B0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x051F0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x05350000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x053A0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x05740000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x059F0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 36864 bytes
0x04A80000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 372736 bytes
0x05FB0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 372736 bytes
0x07000000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 372736 bytes
0x06CD0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 405504 bytes
0x056C0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 413696 bytes
0x05B60000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 421888 bytes
0x06BA0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 421888 bytes
0x05A10000 Hidden Image-->Branding.dll [ EPROCESS 0x899447A0 ] PID: 3048, 438272 bytes
0x00D70000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 45056 bytes
0x00D00000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 45056 bytes
0x037B0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 45056 bytes
0x00CD0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x00CF0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x00D70000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x038C0000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x05160000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x05110000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x05330000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 45056 bytes
0x04180000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x899447A0 ] PID: 3048, 462848 bytes
0x05AC0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 503808 bytes
0x03870000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x03860000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x03970000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x03CC0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x03F50000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05030000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05070000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05190000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x051C0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05310000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05750000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x05790000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x060C0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 53248 bytes
0x070C0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 585728 bytes
0x05320000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 61440 bytes
0x05380000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 61440 bytes
0x06DE0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 643072 bytes
0x07330000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 651264 bytes
0x03840000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x03810000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x04F80000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x05360000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x05500000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x05470000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x05570000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x07310000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 69632 bytes
0x06720000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 700416 bytes
0x06F40000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 757760 bytes
0x00D80000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x8975D020 ] PID: 2792, 77824 bytes
0x00D40000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 77824 bytes
0x03900000 Hidden Image-->ADL.Foundation.dll [ EPROCESS 0x899447A0 ] PID: 3048, 77824 bytes
0x05050000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 77824 bytes
0x05120000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 77824 bytes
0x054C0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 77824 bytes
0x07240000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 831488 bytes
0x05450000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 86016 bytes
0x050D0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 86016 bytes
0x05A90000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x899447A0 ] PID: 3048, 86016 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-1A21921E.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-1DCBF21B.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-309FDED6.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-435C15DB.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-474F121B.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-47ABF173.pf
!-->[Hidden] C:\WINDOWS\Prefetch\RUNDLL32.EXE-4C3590B9.pf
!-->[Hidden] C:\WINDOWS\Temp\TMP00021B6A30AA08669BB55827
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[1756]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1756]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1756]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1756]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1756]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1756]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[1756]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
kkqewl
Active Member
 
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Unread postby deltalima » December 24th, 2010, 12:52 pm

Hi kkqewl,

Please download this file and run it to remove Combofix.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :services
    Application Updater - Spigot, Inc.
    :commands
    [EMPTYTEMP]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Now please run a new scan with HijackThis and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trojan JS Tracur and exploit Java malware

Unread postby kkqewl » December 24th, 2010, 3:00 pm

Ok, removed Combofix, and just tried to run OTL twice with the script you sent, and both times the program hangs after a few minutes and then a message appears saying the program is not responding. Also, after I reboot my computer, there was a report generated?

Here is the latest Hijack log.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:00:27 PM, on 24/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\USBStorage\USBDetector.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\AI Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S175.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo R280 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE /FU "C:\WINDOWS\TEMP\E_S175.tmp" /EF "HKCU" (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 0838236687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8777991140
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spectro-us.webex.com/client/T26 ... eatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 8135 bytes
kkqewl
Active Member
 
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Unread postby deltalima » December 24th, 2010, 3:08 pm

Hi kkqewl,

tried to run OTL twice with the script you sent and both times the program hangs after a few minutes


OK, no need for a log, the HijackThis log shows the service has been removed by OTL.

ESET online scanner

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
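The check deltalima made by eye above, confirming from the new HijackThis log that the "Application Updater" service named in the OTL :services directive is gone, can be automated. The following is an added example and not HijackThis' or OTL's own code: it parses the O4 (autostart) and O23 (service) lines of a HijackThis v2 log and diffs the service list between two logs. The "after" lines are taken from the log posted in this thread; the "before" line for the Spigot service is constructed for the example, since the earlier log is not reproduced here, and the two regular expressions are assumptions drawn from the log lines on this page rather than from any HijackThis specification.

```python
"""Minimal parser for HijackThis v2 log lines (O4 autostarts, O23 services).

Added example, not HijackThis' own code. It re-creates the check a helper
makes by eye: confirming that a service removed by an OTL fix no longer
appears in the post-fix log, and listing services with no attributable vendor.
"""
import re

# Both patterns are assumptions derived from the log lines pasted in this
# thread. O23 names and vendors are matched non-greedily on the first two
# " - " separators, so a path containing " - " still parses; a service *name*
# containing " - " would not.
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed "before" sample: the Application Updater line is assumed to be
# what the earlier log showed for the service the OTL script removed.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# "After" sample: a subset of the lines from the post-fix log in this thread.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""


def parse_hjt(log_text):
    """Return {'services': [...], 'autostarts': [...]} parsed from raw log text."""
    services, autostarts = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O23_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = _O4_RE.match(line)
        if m:
            autostarts.append(m.groupdict())
    return {"services": services, "autostarts": autostarts}


def service_names(log_text):
    """Set of O23 service names in a log."""
    return {s["name"] for s in parse_hjt(log_text)["services"]}


def diff_services(before_text, after_text):
    """(removed, added): services present only before the fix, and only after."""
    before, after = service_names(before_text), service_names(after_text)
    return before - after, after - before


def unknown_owner_services(log_text):
    """O23 entries HijackThis could not attribute to a vendor; a helper
    typically looks these up before anything else in the service list."""
    return [s for s in parse_hjt(log_text)["services"] if s["vendor"] == "Unknown owner"]


if __name__ == "__main__":
    removed, added = diff_services(HJT_BEFORE, HJT_AFTER)
    print("removed:", sorted(removed))
    print("added:", sorted(added))
    for svc in unknown_owner_services(HJT_AFTER):
        print("unknown owner:", svc["name"], "->", svc["path"])
```

Run against two saved logs, the script reports "Application Updater" as removed, which is exactly what deltalima read off the pasted log; the unknown-owner list is a starting point for manual review, not a verdict.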

Re: Trojan JS Tracur and exploit Java malware

Unread postby kkqewl » December 25th, 2010, 11:48 am

Ok, here is that log.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=b4a4e93d0515de429036b64f8bfae9f2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-25 03:46:33
# local_time=2010-12-25 10:46:33 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 64909172 64909172 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776533 42 87 0 4392889 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=125026
# found=7
# cleaned=0
# scan_time=3968
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Karl\My Documents\Software\LPT.Pro.14.Reload.iso a variant of Win32/HackTool.Patcher.A application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Search Settings\SearchSettings.exe Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Search Settings\SearchSettingsRes409.dll Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Trend Micro\HijackThis\backups\backup-20101222-024551-835.dll Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\XPMedic\XPMedic.exe Win32/Adware.XPMedic application (unable to clean) 00000000000000000000000000000000 I
kkqewl
Active Member
 
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Unread postby deltalima » December 25th, 2010, 5:04 pm

Hi kkqewl,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code: Select all
    :files
    C:\Program Files\Search Settings
    C:\Program Files\XPMedic
    :commands
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Trojan JS Tracur and exploit Java malware

Unread postby kkqewl » December 25th, 2010, 6:17 pm

Ok,

Just ran OTL with the script as described; it seemed to run fine and rebooted after several seconds, but no report was generated in Notepad after the reboot?
kkqewl
Active Member
 
Posts: 9
Joined: December 22nd, 2010, 8:37 pm

Re: Trojan JS Tracur and exploit Java malware

Unread postby deltalima » December 25th, 2010, 6:22 pm

Please use Windows Explorer to check that the two folders have been removed.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK